// build LocalSubjectAccessReview struct to validate role via checkAccess func (o *podNodeConstraints) checkPodsBindAccess(attr admission.Attributes) (bool, error) { ctx := kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), attr.GetNamespace()), attr.GetUserInfo()) authzAttr := authorizer.DefaultAuthorizationAttributes{ Verb: "create", Resource: "pods/binding", APIGroup: kapi.GroupName, } if attr.GetResource().GroupResource() == kapi.Resource("pods") { authzAttr.ResourceName = attr.GetName() } allow, _, err := o.authorizer.Authorize(ctx, authzAttr) return allow, err }